bzp2010 opened a new pull request, #8068: URL: https://github.com/apache/apisix/pull/8068
### Description

The current OIDC plugin for APISIX uses `lua-resty-session`, which requires encryption of the session, but we do not provide a default secret nor do we allow users to configure it directly. Therefore, according to the implementation principle in `lua-resty-session`, if no secret configuration is provided, it will generate one at initialization, yes, one at each worker, and they are all different. When a client uses a short connection or traffic passes through a load balancing component, each request may be sent to a different worker, which causes decryption and hash verification failures. I think if we allow users to set the session secret through the plugin configuration, we can solve this problem.

### Checklist

- [x] I have explained the need for this PR and the problem it solves
- [x] I have explained the changes or the new features added to this PR
- [x] I have added tests corresponding to this change
- [x] I have updated the documentation to reflect this change
- [x] I have verified that this change is backward compatible (If not, please discuss on the [APISIX mailing list](https://github.com/apache/apisix/tree/master#community) first)

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]
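The failure mode the PR describes can be reproduced outside of OpenResty. The following is an added example, not code from the PR, from APISIX or from `lua-resty-session`: it models a pool of workers with a toy HMAC-signed session cookie (the real library also encrypts the session; this toy only signs it, which is enough to show the verification failure). Worker names, the `Worker`/`build_pool`/`replay_across_pool` helpers and the sample session data are all constructed for the demonstration. When no secret is configured, each worker draws its own random key, exactly as the PR says `lua-resty-session` does at init; a cookie issued by one worker then fails verification on every other worker. With one shared secret handed to every worker, the same cookie verifies everywhere.

```python
"""Toy model of the per-worker session secret problem (constructed example)."""
import base64
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

TAG_LEN = 32  # HMAC-SHA256 output length in bytes


class Worker:
    """One worker process holding its own session-signing secret.

    Mirrors the lua-resty-session fallback described in the PR: when no
    secret is configured, each worker generates a fresh random one at init,
    so the secrets differ across workers of the same node.
    """

    def __init__(self, name: str, secret: Optional[bytes] = None) -> None:
        self.name = name
        # Assumption for the demo: 32 random bytes stand in for the library's
        # generated secret; a configured secret is passed in instead.
        self.secret = secret if secret is not None else secrets.token_bytes(32)

    def seal(self, session_data: bytes) -> str:
        """Issue a session cookie: base64url(data || HMAC-SHA256(secret, data))."""
        tag = hmac.new(self.secret, session_data, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(session_data + tag).decode("ascii")

    def open(self, cookie: str) -> Optional[bytes]:
        """Return the session data if the MAC verifies under this worker's secret, else None."""
        try:
            raw = base64.urlsafe_b64decode(cookie.encode("ascii"))
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if len(raw) < TAG_LEN:
            return None
        data, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        expected = hmac.new(self.secret, data, hashlib.sha256).digest()
        # Constant-time comparison so the check does not leak the tag byte by byte.
        if not hmac.compare_digest(tag, expected):
            return None
        return data


def build_pool(n: int, shared_secret: Optional[bytes] = None) -> List[Worker]:
    """Create n workers; with shared_secret=None every worker gets its own key."""
    return [Worker(f"worker-{i}", shared_secret) for i in range(n)]


def replay_across_pool(pool: List[Worker],
                       session_data: bytes = b"sub=alice;exp=1700000000") -> Dict[str, List[str]]:
    """Issue a cookie on the first worker, then present it to every worker in
    turn, which is what a load balancer or a short-lived connection does.
    Report which workers accept and which reject it."""
    cookie = pool[0].seal(session_data)
    accepted = [w.name for w in pool if w.open(cookie) == session_data]
    rejected = [w.name for w in pool if w.name not in accepted]
    return {"accepted": accepted, "rejected": rejected}


if __name__ == "__main__":
    unconfigured = build_pool(4)
    print("no secret configured:    ", replay_across_pool(unconfigured))
    # Constructed demo secret; a real deployment would use a long random value.
    configured = build_pool(4, shared_secret=b"constructed-demo-secret-not-for-prod")
    print("shared secret configured:", replay_across_pool(configured))
```

In the unconfigured pool only `worker-0` accepts its own cookie, so with round-robin balancing across N workers roughly (N-1)/N of follow-up requests fail verification, which matches the "decryption and hash verification failures" the PR reports. Configuring one secret for the whole node is the fix; the same reasoning applies across nodes behind an external load balancer, where every node must be given the same configured secret.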
